Introduction
Cyber security management has become not only a matter of national concern but also a chief consideration where socio-economic importance is in question. Given the current security breaches in both government and private companies’ systems, interruptions have been faced, and in some cases, losses have been reported. In the quest to address cyber security concerns, a number of policies have been adopted to help curb these crimes and ensure the consistency, reliability and efficiency of different systems. In the first part of this paper, two scholarly articles (Moore et al., 2010 and Deloitte, 2013) will be reviewed to provide a recommendation and justification for an emergency management cyber security policy model. The second part will then provide responses to a number of questions based on the articles reviewed.
The policies will trace internet users’ paths to control their navigation and ensure they stay on the recommended track, aligned with the stipulated cyber security guidelines. Without control measures, internet users and providers can deviate from the pre-determined perspectives and cause discrepancies in information access and sharing (Moore et al., 2010). When an individual’s or organization’s sensitive data reaches the public domain, it no longer remains private but becomes irretrievable, which increases its risk of manipulation and exploitation by attackers (Goodyear et al., 2010). Cybercrime perpetrators have developed various schemes to reach and exploit people’s computer operating systems (OS) and expose sensitive data to the public.
Cybersecurity/EM Policy Analytical Model
The traditional regulatory model should formulate policies that are efficacious in barring internet users, internet providers, and hackers from obtaining and sharing personal and sensitive data with the public. The policies should clearly explain the consequences of illegally obtaining and sharing information about a particular individual or organization. The policies should be standardized globally, and the concerned government agencies should act accordingly to bring the perpetrators behind bars (Goodyear et al., 2010). It has been noticed that many individuals are not aware of or concerned about the existing policies and regulations governing cybersecurity, and they think that it is the government’s mandate to ensure that the internet is free from the menace of insecurity. The critical policy should focus on enlightening the population about the policies aimed at protecting the internet.
Research or Policy Question for Further Research
Are educating or building capacity among the various communities accessing the internet, and creating regulations, effective in enhancing cybersecurity?
What Needs to Be Done and How Do We Get It Done
Educating the public on the policies governing cybersecurity and building the capacity of individuals on various initiatives to protect their gadgets, emails, and data sharing are essential in curbing the high incidence of cyber-crimes. Public sensitization also introduces the public to their role in solving or avoiding cybersecurity issues by creating awareness of the encryption of sensitive information. Additionally, awareness will enable them to understand the various impacts of avoiding measures aligned with securing data from cyber perpetrators (Goodyear et al., 2010). Lastly, public awareness will impact e-business as the world is rapidly transforming from physical retail to online retail. Most organizations should adopt sophisticated security measures to avoid information/data breaches.
The cybersecurity framework should be continuously updated to identify and solve emerging critical and recurring patterns concerning cyber threats and help create an emergency management system that will help realize the damages associated with cyber-attacks. The framework will ensure the institutionalization of a unique plan to counter cyber insecurity issues. Furthermore, it will draw the attention of local and state governments to working unanimously, and in a coordinated manner, with the private sector in solving the increasing cyber insecurity. According to Goodyear et al. (2010), a partnership between the various levels of government and the private sector, as well as coordination of federal resources, is mandatory in finding a solution to the problem.
Moreover, an incident response policy will enhance citizens’ awareness of their role in the interventions and measures taken to enhance cybersecurity. The policy will act as a levelling ground for communication and the formulation of formidable frameworks that help bridge cyber insecurity and help set immediate interventions for any threat attempt (Goodyear et al., 2010). The policy will also enhance the ethical decision-making process among the various stakeholders concerned with tightening cybersecurity.
A policy concerning personal device use will bar individuals from illegally obtaining and sharing organizations’ data. The policy will ensure that employees are restrained from accessing their institutions’ information to extort or blackmail them for personal gain (Moore et al., 2010). Moreover, the policy will ensure that users protect their devices with stronger passwords, update the security of their software, and use secured networks.
Lastly, data sharing and emailing policies ensure that email and data sharing are overseen effectively and that the devices in use are protected. A study by Jayawardane et al. (2015) recommends enacting a policy that prevents employees from accessing certain attachment files directed to the organization unless the source is authenticated and safe. Moreover, institutions should scrutinize the files sent to their email accounts to determine the authenticity of senders and, more importantly, ensure that the data is consistent (Moore et al., 2010). The sharing of data and emails should be done only on the company’s network, and any breach of the set standards should lead to suspensions and job contract termination, as stipulated in the policy concerned with discipline.
Will a Traditional Regulatory Model Work?
According to Jayawardane et al. (2015), a combination of informal and formal approaches will ensure flexible, sectorial, and incremental policies that will strengthen cybersecurity. As Clinton (2011) adds, the traditional regulatory model will work on one condition: that the regulatory processes are cautiously handled, and that the political factors focus on the intended floor rather than creating a ceiling for acceptable characteristics. The creation of new models without streamlining the old model will give Advanced Persistent Threats (APTs) a window of opportunity to compromise the already formulated policies (Clinton, 2011). The traditional model should be assessed in terms of its costs and innovativeness. The model is sound and widely accepted because it is rooted in public-private partnerships.
Does a Newer Model Need to Be Developed for Uniquely 21st Century Issues?
There is a need to develop a newer model to tackle the increasing issues of cyber-crimes. However, the model should not necessarily aim at creating new regulations because of the interconnected issues related to the internet. The new model should aim at countering the high incentives aimed at facilitating cyber-attacks. It is clear that perpetrators offer great financial incentives in favor of the people behind cyber-crimes, and thus the crime is linked to high profitability. The new model should also figure out how to protect or eradicate sites that educate users on cyber-attack methods and techniques. The new model should be unique in ensuring that cybersecurity enhancement methods do not overburden people but are productive in securing the internet sector (Clinton, 2011). Lastly, the formal model should bridge the old model’s existing gaps rather than replace the old model.
Whom Should the Government Regulate?
In partnership with the private sector, the government should develop desirable regulations to regulate internet system vendors, internet users, internet service providers, and companies concerned with web pages (Clinton, 2011).
Research or Policy Question for Further Research
Why are several interventions to enhance cybersecurity, such as public-private partnerships, emailing and data sharing regulations, and public awareness, not successful in addressing the problem of cybersecurity? Does this imply that the interventions are not implemented effectively, or that cyber attackers are using technology that is ahead of the policymakers, or that they are part of the system in charge of cyber security?
Conclusion
Cyberspace occupies the global socioeconomic space in the current century. Cyberspace has become an essential infrastructure on which modern-day societies depend, and it has changed how people communicate and interact. However, the cybersecurity threat has also become a global problem because of the fear of sensitive data being lost to and compromised by cybercriminals; therefore, enhancing cybersecurity is an indispensable global issue. Some studies have insisted on modifying the old regulatory model, others have recommended developing a newer model, while others have proposed both the old and new regulatory models. The stakeholders mandated to find a solution to the problem should employ both models because some of the threats are recurring ones, while others are new.
Moreover, the devolution of cybersecurity to personal companies and internet users, and the monitoring of cybersecurity by both government and private agencies, will ensure a high level of sanity in the IT industry. The devolution and monitoring process should be guided by a precisely developed policy that indicates the responsibilities of the involved parties and sets the terms of pre-determined agreements. The policy should accord both parties equal powers in decision-making and create interventions that impact cybersecurity. This way, the policy will enable resource mobilization from various agencies and create tactful interventions to mitigate the cyber-threat issues. This paper recommends further research on why policies and other interventions developed to curb cyber threats have not been successful.
References
Clinton, L. (2011). A relationship on the rocks: Industry-government partnership for cyber defense. Journal of Strategic Security, 4(2), 97-112. DOI: http://dx.doi.org/10.5038/1944-0472.4.2.6. Retrieved from http://scholarcommons.usf.edu/jss/vol4/iss2/7
Deloitte-NASCIO. (2013). Cybersecurity study state governments at risk: A call for collaboration and compliance. Deloitte and the National Association of State Chief Information Officers.
Goodyear, M., Portillo, S., Goerdel, H. T., & Williams, L. (2010). Cybersecurity management in the states: The emerging role of Chief Information Security Officers. IBM Center for the Business of Government.
Jayawardane, S., Larik, J. E., & Jackson, E. (2015). Cyber Governance: Challenges, Solutions, and Lessons for Effective Global Governance. The Hague Institute for Global Justice Policy Brief.
Moore, M., Wermuth, M. A., Castaneda, L. W., Chandra, A., Noricks, D., Resnick, A. C., … Burks, J. J. (2010). Bridging the gap: Developing a tool to support local civilian and military disaster preparedness. Santa Monica, CA: RAND, 21-80.